langfuse

Warn

Audited by Socket on May 17, 2026

1 alert found:

Anomaly
AnomalyLOW
SKILL.md

SUSPICIOUS: mostly coherent Langfuse observability skill with proportionate Langfuse credentials and normal PyPI-based installation, but it relies on a third-party community MCP package instead of the official Langfuse MCP server and forwards secret keys to that external code. This is not confirmed malware, but the trust and credential-forwarding model creates meaningful security risk, especially if users point LANGFUSE_HOST at untrusted self-hosted endpoints or enable write operations.

Confidence: 88%Severity: 68%
Audit Metadata
Analyzed At
May 17, 2026, 02:37 AM
Package URL
pkg:socket/skills-sh/avivsinai%2Flangfuse-mcp%2Flangfuse%2F@7ae1d4ecb7d9cb64038f40149abdf65f6f3a42cb
Security Audit — socket — langfuse